Note: CESG’s Cloud Security Guidance is currently in ALPHA. Please send any feedback to the address [email protected].

This document describes principles which should be considered when evaluating the security features of cloud services. Some cloud services will provide all of the security principles, while others only a subset. It is for the consumer of the service to decide which of the security principles are important to them in the context of how they expect to use the service.

Some serviceThe security principles are part of the Cloud Security Guidance, which also includes guidance on implementing the principles and risk managing the use of cloud services. Service providers may take different approaches in implementing the principles, which will be able to offer higher attract different levels of confidence in how they implement the different security principles.risk. Risks associated with common implementation methods are set out in the guidance. Consumers will need toshould decide how much, if any, assurance they require in the different security principles which matter to themimplementation approaches.

These principles apply equally to Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) as defined by NIST.

1. Data in transit protection

The confidentiality and integrity of Consumer data transiting networks should be adequately protected whilst in transit.

The following aspectsagainst tampering and eavesdropping (integrity and confidentiality). This should be specifically considered:

Consumer via a combination of network protection (denying your attacker access to service

Withinintercept data) and encryption (denying the service (ability to for example, betweenan attacker to read data centres)).

2. Asset protection and resilience

Data should be physically secure as it is processed by and stored within the service. This security should be based on suitable physical security controls within data processing, storage and management locations.

The business requirements for availability of the service should be an important consideration when choosing a cloud service. The consumer should ensure that a contractual agreement is in place with the service provider which adequately supports their business needs for availability of the service.

The legal jurisdiction of the service will be an important consideration for many consumers, especially if they wish to use the service to store or process personal data. This principle depends on the physical locations of processing, storage, transit and management of the service.

The following aspects should be specifically considered:

Location of data centres hosting the service

Security surrounding those data centres

Location of service management facilities

How the confidentiality and integrity of data-at-rest will be maintained

Availability of the service

Consumer data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.

3. Separation between consumers

Separation should exist between different consumers of a service should be achieved at all points within the service, including across compute, storage and networking resources.

An important consideration will be whether the service isto prevent a public, private,malicious or community, shared cloud service; if all tenantscompromised consumer from affecting the confidentiality, integrity or availability of the service are known to be trustworthy then less confidence in the separation propertiesanother consumer of the service may be acceptable.

4. Governance

The service provider should have a security governance framework that coordinates and directs their overall approach to the management of IT systems, services and information. A clearly identified, and named, senior executive should be responsible for security of the cloud servicethe service and information within it.

5. Operational security

The service provider should have processes and procedures in place to ensure the operational security of the service.

The following aspects should be specifically considered:

Configuration and change management

Vulnerability management

Protective monitoring

Incident management

6. Personnel security

Service provider staff should be subjected to adequate personnel security screening for their role. At a minimum this should include identity, unspent criminal convictions, and right to work checks. For roles with a higher level of service access, the service provider should undertake and maintain appropriate additional personnel security checksand security education for their role.

7. Secure development

The serviceServices should be designed and developed in a secure fashion and should evolve to identify and mitigate new threats as they emergeto their security.

8. Supply chain security

Cloud services often rely upon third party services. Those third parties can have an impact on the overall security of the services. The service provider should ensure that its supply chain satisfactorily supports all of the security principles that the service claims to deliverimplement.

9. Secure consumer management

Consumers should be provided with the tools they needrequired to help them securely manage their usage of the service.

The following aspects should be specifically considered:

Authentication of consumers to management interfaces

Separation of consumers within management interfaces

Authentication of consumers within support channels

Separation of consumers within support channels

10. Secure on-boardingIdentity and off-boardingauthentication

The service should be provisioned to consumers in a known good state, and their data must be satisfactorily deleted when they leave the service. When physical storage components reach their end of life, the service provider should make appropriate arrangements to securely destroy or purge any consumer data they held.

Consumer and service provider access to all service interfaces should be constrained to authenticated and authorised individuals.

11. ServiceExternal interface protection

All external or less trusted interfaces of the service should be identified and have appropriate protections to defend against attacks through them.

The following aspects should be specifically considered:

Connections to external services on which the service depends

Dedicated connections to tenants

Remote access by service provider

Publicly exposed services

12. Secure service administration

The methods used by the service provider’s administrators to manage the operational service (monitor system health, apply patches, update configuration etc.) should be designed to mitigate any risk of exploitation which could undermine the security of the service. The security of the networks and devices used to perform this function should be specifically considered.

13. Audit information provision to tenantsconsumers

Consumers should be provided with the audit records they need in order to monitor access to their service and the data held within it.

14. Secure use of the service by the consumer

Consumers will have certain responsibilities when using thea cloud service in order for their use of it to remain secure, and for their data to be adequately protected.

Depending on the type of service, the consumer will have responsibilities relating to the following topics:

Audit and monitoring

Storage

Networking

Authentication

Development security

End user devices used to access the service

Secure configuration of the service

Patching

15. Glossary

Management interface a service exposed to consumers or service provider administrators to allow administrative tasks to be performed.

Support channel an online, or out of band (e.g. telephone), communication channel which consumers can use to obtain support from the service provider.

On-boarding the process of a consumer moving on to the service.

Off-boarding the process of migrating a consumer away from a service.

Public, private and community cloud refer to the NIST definitions of these terms.

Sunday, 13 April 2014

What's the difference between IaaS, PaaS and SaaS? There still seems to be confusion especially about PaaS. I hope this will help.

Consider what lies behind using a software application, like email. (I will be simplifying and generalising below, to get the point across, so no need to point out eg that some languages are interpreted, that some programs can be run directly without installation, and that PaaS applications may need to be coded to integrate with the specific PaaS provider’s libraries!).

The application is coded – someone writes the application in a programming language like C++, Python etc.

The application is compiled – the code is converted into a form that can be run on a particular operating system eg Windows, Mac, Linux, Android, iPhone (iOS) etc.

The application is acquired – eg downloaded from a website, obtained on DVD.

The application is installed on the operating system – eg doubleclicking an .msi file in Windows.

The application is run and used by the user – eg doubleclicking on the program filename.

Non-cloud – the end user of the application typically only takes steps 3-5, or even just 5 on a corporate network where the IT department has already taken care of 3 and 4.

SaaS – the cloud user only takes step 5, typically by logging into the SaaS service over the Internet (or company network) to access the application, instead of clicking on a local program name; the SaaS provider takes care of all the rest.

IaaS – the cloud user must take care of ALL of steps 1-5. In addition (consider this a step 3.5!) it must also manage its own VMs including creating VMs and installing the operating systems on its VMs (though it can use snapshots). But it could use someone else’s code (eg open source software) rather than writing the code itself (in which case it skips step 3). Or it could use someone else’s application, go straight to step 3 and install the application in its cloud VM on top of the operating system it installed, assuming the application licence allows installations in VMs. In step 5 the individual end users could be the employees of the cloud user organisation, or its customers, or both.

PaaS – the cloud user only takes care of step 1, again writing its own code (normally using an SDK or software development kit downloadable from the provider) or obtaining code from elsewhere. The PaaS provider handles steps 2-4. Step 1 can be and is often done locally, then the code is uploaded to the PaaS provider. Again, in step 5 the end users could be employees of the cloud user organisation or its customers. Hence startups offering new services over the web, eg mobile applications, like using IaaS or PaaS because they don’t have to buy equipment to service their customers, they can just focus on running their systems (in IaaS) and coding (in both). With PaaS, they don’t even have to manage IT systems - they can concentrate just on coding. Hence the ‘platform’ in PaaS – it provides a ‘platform’ for PaaS users to code their applications, deploy their applications (to servers provided by the PaaS provider) and host their applications (on servers provided by the PaaS provider), so that the applications are available for use by their end users over the Internet or corporate network.